CVE-2019-0220

Published: 11/06/2019 Updated: 25/06/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 5.3 | Impact Score: 1.4 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

A vulnerability in the Apache HTTP Server could allow an unauthenticated, remote malicious user to cause a denial of service (DoS) condition on a targeted system. The vulnerability is due to the improper handling of URL requests that contain multiple consecutive forward slashes in the URL path component by the affected software. An attacker could exploit this vulnerability by sending requests that submit malicious input to the affected software. A successful exploit could allow the malicious user to cause the affected software to terminate abnormally, resulting in a DoS condition. Apache has confirmed the vulnerability and released software updates.

Affected Products

Vendor | Product | Versions
Apache | Http Server | 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.12, 2.4.14, 2.4.16, 2.4.17, 2.4.18, 2.4.19, 2.4.20, 2.4.21, 2.4.22, 2.4.23, 2.4.24, 2.4.25, 2.4.26, 2.4.27, 2.4.28, 2.4.29, 2.4.30, 2.4.32, 2.4.33, 2.4.34, 2.4.35, 2.4.36, 2.4.37, 2.4.38
Canonical | Ubuntu Linux | 14.04, 16.04, 18.04, 18.10
Debian | Debian Linux | 8.0, 9.0
Fedoraproject | Fedora | 28, 29, 30
Opensuse | Leap | 15.0, 42.3

Vendor Advisories

Severity: Unknown. Remote: Unknown. Type: Unknown. Description: AVG-946 apache 2.4.38-1 2.4.39-1 Medium Testing ...
IBM HTTP Server is used by IBM Netezza Performance Portal. IBM Netezza Performance Portal has addressed the applicable CVE ...
Several security issues were fixed in the Apache HTTP Server ...
Several vulnerabilities have been found in the Apache HTTP server. CVE-2018-17189: Gal Goldshtein of F5 Networks discovered a denial of service vulnerability in mod_http2. By sending malformed requests, the http/2 stream for that request unnecessarily occupied a server thread cleaning up incoming data, resulting in denial of service ...
There are multiple vulnerabilities in the IBM HTTP Server used by WebSphere Application Server. CVE-2019-0211 affects version 9 non-windows platforms only ...
Debian Bug report logs - #920303 apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time. Package: src:apache2; Maintainer for src:apache2 is Debian Apache Maintainers <debian-apache@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, 23 Jan 2019 20:36:02 UTC; Severity: ...
Debian Bug report logs - #920302 apache2: CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies. Package: src:apache2; Maintainer for src:apache2 is Debian Apache Maintainers <debian-apache@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, 23 Jan 2019 20:33:05 UTC; Severity: ...
There are multiple vulnerabilities in the IBM HTTP Server used by WebSphere Application Server. Apache HTTP Server could provide weaker than expected security, caused by URL normalization inconsistencies. Apache HTTP Server could allow a local authenticated attacker to gain elevated privileges on the system ...
A vulnerability (CVE-2019-0220) exists in Cosminexus HTTP Server and Hitachi Web Server. Affected products and versions are listed below. Please upgrade your version to the appropriate version ...

Mailing Lists

Debian Security Advisory DSA-4422-1. security () debian org, www.debian.org/security/. Stefan Fritsch, April 03, 2019. www.debian.org/security/faq ...
CVE-2019-0220: URL normalization inconsistencies. Severity: Low. Vendor: The Apache Software Foundation. Versions Affected: httpd 2.4.0 to 2.4.39. Description: When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions whil ...